I remember watching some tech show that presented the potential negatives of NFC wallets as easy targets for e-thieves. They’ll simply pass you and upon NFC contact, you’ll get charged.

Ars Technica highlights this issue on Android and Nokia handsets with NFC based on 6 months of research by Charlie Miller. Regarding Nokia NFC, they look at the Nokia N9.

“Code on the attacker-controlled chip or handset is beamed to the target phone over the air, then opens malicious files or webpages that exploit known vulnerabilities in a document reader or browser, or in some cases in the operating system itself.”

NFC on the N9 is not on by default. It makes sense now that I think about security issues (though not in terms of usability issues).


NFC on the N9 isn’t turned on by default, but once it’s enabled, it too will accept malicious content and requests with no prompting. Among the easiest and most damaging attacks are those that use NFC to establish a Bluetooth connection with another device. Once NFC is turned on, an N9 will automatically accept all connection requests with no prompting

… in range, he can force it to make phone calls, send text messages, or upload and download proprietary files, including contact lists

Nokia officials apparently responded, acknowledging these issues:

Nokia takes product security issues seriously. Nokia is aware of the NFC-research done by Charlie Miller and are actively investigating the claims concerning Nokia N9. Although it is unlikely that such attacks would occur on a broad scale given the unique circumstances, Nokia is currently investigating the claims using our normal processes and comprehensive testing. Nokia is not aware of any malicious incidents on the Nokia N9 due to the alleged vulnerabilities

Hey, thanks for reading my post. My name is Jay and I'm a medical student at the University of Manchester. When I can, I blog here at mynokiablog.com and tweet now and again @jaymontano. We also have Twitter and Facebook accounts, @mynokiablog and Facebook.com/mynokiablog.
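As an added illustration (not code from this post, Ars Technica, or Nokia): a minimal parser for NDEF, the message format NFC tags and peers deliver, with a hypothetical `decide` policy that contrasts acting on URL and Bluetooth-handover records automatically with gating them behind a confirmation prompt. The function names, action labels and sample bytes are assumptions constructed for this example.

```python
import struct

# NDEF record header bits and type-name-format values (NFC Forum NDEF layout).
ME, CF, SR, IL, TNF_MASK = 0x40, 0x20, 0x10, 0x08, 0x07
TNF_WELL_KNOWN, TNF_MIME = 0x01, 0x02
BT_OOB = b"application/vnd.bluetooth.ep.oob"  # Bluetooth pairing handover data

def parse_ndef(data: bytes):
    """Return [(tnf, type, payload), ...]; raise ValueError on malformed input."""
    records, pos = [], 0
    while pos < len(data):
        try:
            hdr, type_len = data[pos], data[pos + 1]
            pos += 2
            if hdr & SR:                      # short record: 1-byte length
                payload_len, pos = data[pos], pos + 1
            else:                             # normal record: 4-byte big-endian
                payload_len, pos = struct.unpack_from(">I", data, pos)[0], pos + 4
            id_len = 0
            if hdr & IL:
                id_len, pos = data[pos], pos + 1
        except (IndexError, struct.error):
            raise ValueError("truncated NDEF header") from None
        end = pos + type_len + id_len + payload_len
        if hdr & CF or end > len(data):
            raise ValueError("chunked or truncated NDEF record")
        rtype = data[pos:pos + type_len]
        records.append((hdr & TNF_MASK, rtype, data[pos + type_len + id_len:end]))
        pos = end
        if hdr & ME:                          # message-end flag
            break
    return records

def decide(data: bytes, confirm: bool):
    """Hypothetical policy: what the handset does with each record in a tag read."""
    try:
        records = parse_ndef(data)
    except ValueError:
        return ["reject"]                     # never act on malformed input
    actions = []
    for tnf, rtype, _payload in records:
        # Records that open a URL or start a Bluetooth connection are side effects.
        side_effect = (tnf == TNF_MIME and rtype == BT_OOB) or (
            tnf == TNF_WELL_KNOWN and rtype in (b"U", b"Sp", b"Hs"))
        actions.append(("prompt" if confirm else "auto") if side_effect else "show")
    return actions

# Constructed sample messages (not captured from a real device).
SAMPLE_URI = bytes([0xD1, 1, 13]) + b"U" + b"\x01example.com/"
SAMPLE_BT = bytes([0xD2, len(BT_OOB), 8]) + BT_OOB + b"\x08\x00" + bytes(6)
```

With `confirm=False` both samples come back as `auto`, which is the no-prompt behaviour the quoted research describes; with `confirm=True` they become `prompt`, and a truncated message is rejected outright.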

Sounds scary, can’t believe I never thought of how simple it would be to use it like that; all it takes is a simple “bump” in a crowded street and you’ll be charged.

disguy

Why not? Same thing can happen to your cc sitting in your back pocket. They bump into you and get your cc number. Problem with this is not only getting random charges but getting your files hacked. Nudies Galore.

skint

The NFC on the N9 is only active when the screen is unlocked, so chances of a bump into your pocket accessing it is very unlikely. Also Nokia have stated that the NFC on the N9 does not meet security standards for NFC payment so I see this as a non issue.

m

Jay,
you should post excerpts from the TMO thread regarding this and you’ll see while NFC is not totally safe there is not much to panic if it’s kept off. Arie’s response is one of the best as he too was at Black Hat watching this live…

I also saw it at DEF CON. I spoke to Charlie Miller. I will post more on the TMO thread when I get back from DEF CON.

The vulnerability has been blown way out of proportion.

lmiked

Well, I have the N9 now for almost half a year and never used it… So it’s always turned off. And then, even if it’s on, isn’t it required for the devices to be very close, almost touch even for it to communicate?
And… How would I be charged in case anyone was able to communicate with my device through NFC? Would it charge my phone bill? Or what? Lol
sorry, I’m just not aware of how this could be dangerous.

Gerii

I think it could theoretically emulate a Bluetooth headset and then call a premium number.
But there’s an option on the N9 to ask the user when a device wants to connect to the N9 via NFC. Just turn it on and you should be safe.

lmiked

exactly!!! That’s just what I was going to say, there is an option on N9 called confirm sharing and connecting which you can activate, so it probably asks you if you want to accept every connection/transfer/sharing.

reptile

I think it’s only safer on Symbian because it requires the user to confirm when it tries to access something thru NFC. At least, I think it does that for everything. I know it does that for the picture transfers, not sure about the other NFC features.

Lucillda Wellington

buhahahaha whatever to say, you haven’t even mentioned W problems with safety. That is the pain in…
I think N9 now is the most safe and secure mobile on the whole market. And will be for next at least 3-5 years.
Mentioned problem is only a question of proper settings of the mobile.
I don’t buy it, it’s an example of non objective approach to certain products by Nokia of Nokia….. and funny one rather…..

Gäst

I don’t think this is an OS problem but rather an NFC feature that’s misused.
But I can see how it could be used for “skimming” NFC payments with false NFC chipsets.

lmiked

But isn’t information like name, credit card number, expiry date, and security code needed for a payment to be made? So unless you have all that stored in your phone, you have nothing to worry about… Plus, when you’re not using NFC, just switch it off, not only you’re protected, but it’ll also probably save you some battery, and last but not least, the N9 does include the option to allow you to confirm sharing and connecting.